[This version appears with the permission of the ACM. Only minor typographical changes have been made from the version which appeared in the proceedings of STOC 2002.]

ABSTRACT 

Secure multi-party computing, also called secure function evaluation, has been extensively studied in classical cryptography. We consider the extension of this task to computation with quantum inputs and circuits. Our protocols are information-theoretically secure, i.e. no assumptions are made on the computational power of the adversary. For the weaker task of verifiable quantum secret sharing, we give a protocol which tolerates any t < n/4 cheating parties (out of n). This is shown to be optimal. We use this new tool to show how to perform any multi-party quantum computation as long as the number of dishonest players is less than n/6.

Keywords 

Quantum cryptography, multi-party protocols, secure function evaluation, distributed computing

1. INTRODUCTION 

Secure distributed protocols have been an important and fruitful 
area of research for modern cryptography. In this setting, there is a 
group of participants who wish to perform some joint task, despite 
the fact that some of the participants in the protocol may cheat in 
order to obtain additional information or corrupt the outcome. 

We investigate a quantum version of an extensively studied classical problem, secure multi-party computation (or secure function evaluation), first introduced by [ref]. A multi-party quantum computing (MPQC) protocol allows $n$ participants $P_1, P_2, \ldots, P_n$ to compute an $n$-input quantum circuit in such a way that each party $P_i$ is responsible for providing one of the input states. The output of the circuit is broken into $n$ components $\mathcal{H}_1 \otimes \ldots \otimes \mathcal{H}_n$, and $P_i$ receives the output $\mathcal{H}_i$. Note that the inputs to this protocol are arbitrary quantum states — the player providing an input need only have it in his possession; he does not need to know a classical description of it. Moreover, unlike in the classical case, we cannot assume without loss of generality that the result of the computation will be broadcast. Instead, each player in the protocol receives some part of the output.

Informally, we require two security conditions: 

- Soundness and Completeness: no coalition of t or fewer cheaters 
should be able to affect the outcome of the protocol beyond their 
ability to choose their inputs. 

- Privacy: no coalition of t or fewer cheaters should learn anything 
beyond what they can deduce from their initial knowledge of their 
input and from their part of the output. 

Verifiable Quantum Secret Sharing. In order to construct MPQC protocols, we consider a subtask which we call verifiable quantum secret sharing. In classical cryptography, a verifiable secret sharing scheme [ref] is a two phase protocol with one player designated as the "dealer". After the first phase (commitment), the dealer shares a secret amongst the players. In the second phase (recovery), the players reconstruct the value publicly.

The natural quantum version of this allows a dealer to share a state $\rho$ (possibly unknown to him but nonetheless in his possession). Because quantum information cannot be cloned, we cannot require that the state be reconstructed publicly; instead, the recovery phase also has a designated player, the reconstructor $R$. We require that, despite any malicious actions by at most $t$ players:

- Soundness: As long as $R$ is honest and the dealer passes the commitment phase successfully, then there is a unique quantum state which can be recovered by $R$.

- Completeness: When $D$ is honest, then he always passes the commitment phase. Moreover, when $R$ is also honest, then the value recovered by $R$ is exactly $D$'s input $\rho$.

- Privacy: When $D$ is honest, no other player learns information about $D$'s input until the recovery step.

Note that for quantum data, the privacy condition is redundant: any information obtained about the shared state would imply some disturbance of that state, contradicting the completeness requirement.

Contributions. We give a protocol for verifiable quantum secret sharing that tolerates any number $t < n/4$ of cheaters. We show that this is optimal, by proving that VQSS is impossible when $t \ge n/4$. Based on techniques from fault-tolerant quantum computing, we use our VQSS protocol to construct a multi-party quantum computation protocol tolerating any $t < n/6$ cheaters. (MPQC is similar to standard fault-tolerance but with a different error model, see Previous Work.) Our protocols run in time polynomial in both $n$, the number of players, and $k$, the security parameter. The error of the protocols is exponentially small in $k$.

Beyond these specific results, there are a number of conceptual contributions of this paper to the theory of quantum cryptographic protocols. We provide a simple, general framework for defining and proving the security of distributed quantum protocols in terms of equivalence to an ideal protocol involving a third party. This follows the definitions for classical multi-party protocols. The analysis of our protocols leads us to consider various notions of local "neighborhoods" of quantum states, and more generally of quantum codes. We discuss three notions of a neighborhood. The notion most often used for the analysis of quantum error correction and fault-tolerance is insufficient for our needs, but we show that a very natural generalization (specific to so-called "CSS" codes) is adequate for our purposes. Along the way, we provide modified versions of the classical sharing protocols of [ref]. The new property our protocols have is that dealers do not need to remember the randomness they use when constructing shares to distribute to other players. This allows them to replace a random choice of coins with the superposition over all such choices.

1.1 Previous Work 

Classical MPC. Multi-party computing was introduced by Goldreich, Micali and Wigderson [ref], who showed that under computational assumptions, secure multi-party evaluation of any function was possible tolerating any minority of cheating players, i.e. if and only if $t < n/2$. If one assumes pairwise secure channels but no computational assumptions, then one can compute any function securely if and only if $t < n/3$ [ref]. If one further assumes the availability of a secure broadcast channel, then one can in fact tolerate $t < n/2$, and no more [ref]. All of these protocols rely on verifiable secret sharing as a basic tool. Our solution draws most heavily on the techniques of Chaum, Crépeau and Damgård [ref].

Beyond these basic protocols, much work has focused on finding proper definitions of security, e.g. [ref]. We adopt a simple definition based on the initial definitions of Canetti.

Quantum Secret Sharing. Relatively little work exists on multi-party cryptographic protocols with quantum data. Secret sharing with a quantum secret was first studied by Cleve et al. [ref], who showed an equivalence with quantum error-correcting codes (QECC). Their scheme is the basis of our protocols. Chau [ref] deals with classical computations, but also mentions the problem of verifiable quantum secret sharing as an open question.

Fault-tolerant Quantum Computing. The goal of FTQC is to tolerate non-malicious faults occurring within a single computer. One assumes that at every stage in the computation, every qubit in the circuit has some known probability $p$ of suffering a random error, i.e. of becoming completely scrambled. Moreover, errors are assumed to occur independently of each other and of the data in the computation.

One can view multi-party computation as fault-tolerant computing with a different error model, one that is suited to distributed computing. The MPQC model is weaker in some respects since we assume that errors will always occur in the same, limited number of positions, i.e. errors will only occur in the systems of the $t$ corrupted players. In other respects, the error model of MPQC is stronger: in our setting errors may be maliciously coordinated. In particular, they will not be independently placed, and they may in fact depend on the data of the computation — the adversaries will use any partial information known about the other players' data, as well as information about their own data, to attempt to corrupt the computation. For example, several FTQC algorithms rely on the fact that at certain points in the computation, at most one error is likely to occur. Such algorithms will fail when errors are placed adversarially. Techniques from FTQC are nonetheless useful for multi-party computing. We will draw most heavily on techniques due to Aharonov and Ben-Or [ref].

1.2 Definitions and Model 

In this paper, we use a simple simulation-based framework for proving the security of quantum protocols, similar to early classical definitions. We specify a task by giving a protocol for implementing it in an ideal model where players have access to a trusted third party $\mathcal{TTP}$. We prove a given protocol secure by showing a simulator which translates any attack in the real-world protocol into an (almost) equally successful attack in the ideal model.

We assume that every pair of participants is connected by perfect (i.e. authenticated, unjammable, secret) quantum and classical channels, and that there is a classical authenticated broadcast channel to which all players have access. Because we will always consider settings where $t < n/2$, we can also assume that players can perform classical multi-party computations securely [ref].¹ The adversary is an arbitrary quantum algorithm (or family of circuits) $\mathcal{A}$ (not necessarily polynomial time), and so the security of our protocols does not rely on computational assumptions.

The real and ideal models, as well as the notion of security, are specified more carefully in [ref]. In this paper, we use the following informal specifications of the ideal protocols. The real protocols are secure if they succeed in simulating the ideal ones.

Multi-party Quantum Computation. All players hand their inputs to the $\mathcal{TTP}$, who runs the desired circuit and hands back the outputs. Note that the only kind of cheating which is possible is that cheaters may choose their own input. In particular, cheaters cannot force the protocol to abort.

Verifiable Quantum Secret Sharing. In the sharing phase, the dealer gives his secret system to the trusted party. In the reconstruction phase, the $\mathcal{TTP}$ sends the secret system to the reconstructor $R$. The only catch is that in the ideal model, honest players should not learn the identity of $R$ until after the first phase has finished (otherwise, $D$ could simply send the secret state to $R$ in the first phase without violating the definition).

1.3 Preliminaries 

We present the notation necessary for reading the protocols and proofs in this paper. For a more detailed explanation of the relevant background, see [ref] or a textbook such as [ref].

We will work with $p$-dimensional quantum systems, for some prime $p > n$. Such a system is called a qupit, and the "computational" basis states are labelled by elements in $F = \mathbb{Z}_p$. We will also be working in the Fourier basis, which is given by the unitary transformation $\mathcal{F}|a\rangle \mapsto \frac{1}{\sqrt{p}} \sum_b \omega^{ab} |b\rangle$. A basis for the operators on a qupit is given by the $p^2$ Pauli operators $X^a Z^b$, where $X|a\rangle = |a+1\rangle$, $Z|a\rangle = \omega^a |a\rangle$, and $\omega = \exp(2\pi i/p)$. Tensor products of these operators yield the Pauli basis for the set of operators on a register of qupits. The weight of a tensor product operator is the number of components in which it is not the identity $I$.

Quantum Codes. The error-correcting codes used in this paper are quantum CSS codes. These are defined via two classical linear codes $V, W \subseteq \mathbb{Z}_p^n$ such that $V^\perp \subseteq W$. If we denote $W^{(q)} = \mathrm{span}\{|w\rangle : w \in W\}$ for a classical code $W$, then we can write the CSS code as $C = V^{(q)} \cap \mathcal{F}^{\otimes n} W^{(q)}$. Thus, $C$ is the set of states of $n$ qupits which yield a codeword of $V$ when measured in the computational basis and a codeword of $W$ when measured in the Fourier basis.

¹ In fact, even the assumption of a broadcast channel is not strictly necessary, since $t < n/3$ in our setting.

Specifically, we will use quantum Reed-Solomon codes from [ref]. We specify a quantum RS code by a single parameter $\delta < n/2$. The classical Reed-Solomon code $V^\delta$ is the set of all vectors $q = (q(1), q(2), \ldots, q(n))$, where $q$ is any univariate polynomial of degree at most $\delta$. The related code $V_0^\delta$ is the subset of $V^\delta$ corresponding to polynomials which interpolate to 0 at the point 0. That is: $V^\delta = \{q : q \in F[x],\ \deg(q) \le \delta\}$ and $V_0^\delta = \{q : \deg(q) \le \delta \text{ and } q(0) = 0\} \subseteq V^\delta$. The code $V^\delta$ has minimum distance $d = n - \delta$, and an efficient error correction procedure. Let $\delta' = n - \delta - 1$. There are constants $d_1, \ldots, d_n \in \mathbb{Z}_p$ such that the dual of the code $V^\delta$ is just the code $V_0^{\delta'}$, rescaled by $d_i$ in the $i$-th coordinate; similarly, the dual of $V_0^\delta$ is a rescaled version of $V^{\delta'}$. Denote these duals by $W_0^\delta$, $W^\delta$, respectively.

The quantum code $C^\delta$ for parameter $\delta$ is the CSS code obtained from codes $V = V^\delta$ and $W = W^\delta$. It encodes a single qupit, and has minimum distance $\delta + 1$ (thus, it corrects $t = \lfloor \delta/2 \rfloor$ errors). Moreover, errors can be corrected efficiently, given the syndrome of a corrupted codeword, i.e. the $V$ syndrome measured in the computational basis and the $W$ syndrome measured in the Fourier basis.

Transversal Operations. A nice result from fault-tolerant computing [ref] is that one can in fact perform many operations on data encoded by a quantum RS code using only local operations and classical information transmitted between the components. Consider the following gates:

1. Shift: $X^c : |a\rangle \mapsto |a + c\rangle$,

2. SUM: $(\text{c-}X) : |a, b\rangle \mapsto |a, a + b\rangle$,

3. Scalar multiplication: $0 \ne c \in F$, $S_c : |a\rangle \mapsto |ac\rangle$,

4. Phase Shift: $Z^c : |a\rangle \mapsto \omega^{ca} |a\rangle$,

5. Fourier Transform: $\mathcal{F}_r : |a\rangle \mapsto \frac{1}{\sqrt{p}} \sum_{b \in F} \omega^{rab} |b\rangle$,

6. Toffoli (Multiplication): $|a\rangle|b\rangle|c\rangle \mapsto |a\rangle|b\rangle|c + ab\rangle$.

These gates are universal [ref], in the sense that a sequence of these gates can approximate any unitary operation with arbitrary accuracy. Beyond these, in order to simulate arbitrary quantum circuits one should also be able to introduce qupits in some known state (say $|0\rangle$), as well as to discard qupits. For any CSS code, the gates 1 through 4 from the set above can be implemented transversally, that is using only local operations which affect the same component of two codewords. Measurement and the remaining two operations can be performed almost transversally.

Measurement. For a quantum RS code, measuring each component of the encoding of $|s\rangle$ yields a vector $q = (q(1), \ldots, q(n))$ where $q(0) = s$. This operation is not quite transversal since after the qupit-wise measurement, the classical information must be gathered together in order to extract the measurement result. Nonetheless, it can tolerate arbitrary corruption of $\delta/2$ of the positions in the codeword if classical error correction is first applied to the vector of measurement results.

Fourier and Toffoli gates. For CSS codes, applying the Fourier transform transversally maps data encoded with the codes $V, W$ to the Fourier transform of that data, encoded with the dual code defined via the codes $W, V$. For quantum RS codes, rescaling each component of the dual code of $C^\delta$ produces the code $C^{\delta'}$. This allows one to perform the map $\mathcal{E}_{C^\delta} |\psi\rangle \mapsto \mathcal{E}_{C^{\delta'}} (\mathcal{F} |\psi\rangle)$, where $\mathcal{E}_C$ is the encoding map for a code $C$.

When $n = 2\delta + 1$, we have $\delta' = \delta$, so the Fourier transform is in fact transversal, but the Toffoli gate is difficult to perform.

When $n = 3\delta + 1$, neither the Fourier transform nor the Toffoli gate is transversal, but they can both be reduced to degree reduction via transversal operations [ref]. Degree reduction maps an arbitrary state $|\psi\rangle$ encoded using $C^{2\delta}$ to $|\psi\rangle$ encoded with $C^\delta$.

The circuit we use for degree reduction is due to Gottesman and Bennett [ref]. We start with one block encoded using $C^{2\delta}$ (system $\mathcal{H}_1$), and an ancilla block in the state $\mathcal{E}_{C^\delta}(\sum_a |a\rangle)$ (system $\mathcal{H}_2$). Perform a SUM gate from $\mathcal{H}_2$ to $\mathcal{H}_1$ (this can be done transversally by a property of the codes $C^\delta$). Measure $\mathcal{H}_1$ in the computational basis, obtaining $b$, and apply $X^b S_{-1}$ to $\mathcal{H}_2$. The system $\mathcal{H}_2$ now contains the data, encoded using $C^\delta$. This entire procedure can be performed transversally except for the measurement step. However, as noted above, measurement requires only classical communication between the components.

2. NEIGHBORHOODS OF QUANTUM CODES

One of the ideas behind classical multi-party computing protocols is to ensure that data is encoded in a state that remains "close" to a codeword, differing only on those positions held by cheaters (call that set $B$). For classical codes, "close" means that the real word $v$ should differ from a codeword only on $B$, so that any errors introduced by cheaters are correctable. For a code $W$, let the $B$-neighborhood $W_B$ be the set of vectors differing from a codeword of $W$ by positions in $B$, i.e.,

$$W_B = \{v : \exists w \in W \text{ s.t. } \mathrm{supp}(v - w) \subseteq B\}.$$

Equivalently, one can define $W_B$ as the set of words obtained by distributing a (correct) codeword to all players, and then having all players send their shares to some (honest) reconstructor $R$.

For quantum codes, there is more than one natural definition of the neighborhood corresponding to a set $B$ of positions. Let $\{1, \ldots, n\}$ be partitioned according to two sets $A, B$. We say a mixed state $\rho$ is "in" $C$ if all states in the mixture lie in $C$, i.e. $\mathrm{Tr}(P_C \rho) = 1$ where $P_C$ is the projector onto $C$. We consider three definitions of a "$B$-neighborhood" of a CSS code $C$. Let $\rho$ be an arbitrary state of the coding space.

1. $\rho$ differs from a state in $C$ only by some quantum superoperator $\mathcal{O}$ acting only on $B$:

$$N_B(C) = \{\rho : \exists \rho' \text{ in } C,\ \exists \mathcal{O} \text{ s.t. } \rho = \mathcal{O}(\rho')\}.$$

2. $\rho$ cannot be distinguished from a state in $C$ by looking only at positions in $A$:

$$ST_B(C) = \{\rho : \exists \rho' \text{ in } C \text{ s.t. } \mathrm{Tr}_B(\rho) = \mathrm{Tr}_B(\rho')\}.$$

3. Specifically for CSS codes, one can require that the state $\rho$ pass checks on $A$ in both bases, i.e. that measuring either the $V_B$ syndrome in the computational basis, or the $W_B$ syndrome in the Fourier basis, yields 0. The set of states which pass this test is: $C_B = V_B^{(q)} \cap \mathcal{F}^{\otimes n} W_B^{(q)}$.

In general, these notions form a strict hierarchy: $N_B(C) \subsetneq ST_B(C) \subsetneq C_B$. Only notion (3) is always a subspace (see [ref] for details).

In the analysis of quantum error correction and fault-tolerance schemes, it is sufficient to consider notion (1), for two reasons. On one hand, one starts from a correctly encoded state. On the other hand, the errors introduced by the environment will be independent of the encoded data (and in fact they must be for error correction to be possible at all in that context).
In our setting, however, we cannot make such assumptions. The cheaters might possess states which are entangled with the data in the computation, and so the errors they introduce will not be independent of that data. Instead, we show that our verifiable sharing protocol guarantees a condition similar to notion (3) (see Lemma 3.1). In order to provide some intuition for the proofs of Section 3, we characterize notion (3) below.

Well-Definedness of Decoding for $C_B$. The set $C_B$ is a subspace, since it is defined in terms of measurement outcomes. More particularly, it is spanned by the states of $N_B(C)$:

LEMMA 2.1. If $\rho$ is in $C_B = V_B^{(q)} \cap \mathcal{F}^{\otimes n} W_B^{(q)}$, then we can write $\rho$ as a mixture of pure states $|\psi_i\rangle$, where $|\psi_i\rangle = \sum_j c_{ij} E_j |\phi_{ij}\rangle$, the $E_j$ are Pauli operators on $B$ and $|\phi_{ij}\rangle \in C$.

Proof: To check if $\rho$ is in $C_B$, we measure the $V_B$ syndrome in the computational basis and the $W_B$ syndrome in the Fourier basis. However, the distribution of this measurement outcome will not change if we first measure the $V$ and $W$ syndromes, i.e. if we first make a measurement which projects $\rho$ into one of the subspaces $E_j C$ (i.e. $\rho$ maps to $\rho' = P_j \rho P_j$ with probability $\mathrm{Tr}(P_j \rho)$, where $P_j$ is the projector for the space $E_j C$).

The new state $\rho'$ lies completely in one of the spaces $E_j C$. However, $E_j C$ is either contained in $C_B$ (if there is an operator equivalent to $E_j$ which acts only on $B$) or orthogonal to $C_B$ (if no such operator exists).

Thus $\mathrm{Tr}(P_j \rho) = 0$ for all $E_j$ which act on more than $B$. Hence $\rho$ is a mixture of states $|\psi_i\rangle$ each of which is a linear combination of elements of the spaces $\{E_j C\}$, where $E_j$ acts only on $B$. □

This has a useful corollary, namely that decoding is well-defined for states in $C_B$. Formally, there are two natural "reconstruction operators" for extracting the secret out of a state which has been shared among several players. Suppose that $C$ has distance $d \ge 2t + 1$ and $|B| \le t$. First, $\mathcal{D}$ is the decoding operator for the error-correcting code $C$, which would be applied by an honest player holding all of the shares. For any operator $E_j$ of weight less than $t$ and for any state $\mathcal{E}|\phi\rangle$ in $C$, we have $\mathcal{D} E_j \mathcal{E} |\phi\rangle = |\phi\rangle \otimes |j\rangle$ (i.e. the error is not only corrected but also identified). It will then discard the system containing the syndrome information. Second, $\mathcal{R}^I$ is the "ideal recovery operator", defined by identifying the set $B$ of cheaters and applying the simple interpolation circuit to any set of $n - 2t$ good players' positions (this corresponds to erasure recovery).

PROPOSITION 2.2. For any state $\rho$ in $C_B$, the state $\mathcal{R}^I(\rho)$ is well-defined and is equal to $\mathcal{D}(\rho)$.

Our protocols guarantee conditions similar to $C_B$, and well-definedness is essential for proving simulatability.

Proof: Consider a particular basis state $E_j \mathcal{E} |a\rangle$. The decoding operator $\mathcal{D}$ will produce the state $|a\rangle |j\rangle$, since errors of weight at most $t$ can be identified uniquely. The ideal operator $\mathcal{R}^I$ will extract the encoded state $|a\rangle$. Without loss of generality, the ideal recovery operator will replace $|a\rangle$ with $|0\rangle$, the final output being $|a\rangle \otimes E_j \mathcal{E} |0\rangle$.

In both cases, the output can be written as $|a\rangle$ tensored with some ancilla whose state depends only on the syndrome $j$ (and which identifies $j$ uniquely). Once that state is traced out, the outputs of both operators will be identical. Another way to see this is that the ideal operator can simulate the real operator: one can go from the output of the ideal operator to that of the real operator by applying a transformation which only affects the ancilla. For a state $\rho$ expressed as in Lemma 2.1, the final outcome will be



3. A TWO LEVEL VQSS PROTOCOL 

In this section we define a two-tiered protocol for VQSS. It is based on the VQSS protocols of [ref] as well as on the literature on quantum fault-tolerance and error correction, most notably on [ref]. Detailed proofs for the claims of this section are in [ref]. However, some intuition is given by the proofs of Section 2.

3.1 Sharing Shares: 2-GOOD Trees 

In the VSS protocol of [ref], the dealer $D$ takes his secret, splits it into $n$ shares and gives the $i$-th component to player $i$. Player $i$ then shares this secret by splitting it into $n$ shares and giving the $j$-th share to player $j$. Thus, there are $n^2$ total shares, which can be thought of as the leaves of a tree with depth 2 and fan-out $n$: each leaf is a share; the $i$-th branch corresponds to the shares created by player $i$, and the root corresponds to the initial shares created by the dealer. Player $j$ holds the $j$-th leaf in each branch of this tree. We will run a cut-and-choose protocol in order to guarantee some kind of consistency of the distributed shares.

During the protocol we accumulate $n + 1$ sets of apparent cheaters: one set $B$ for the dealer (this corresponds to a set of branches emanating from the root), and one set $B_i$ for each player $i$ (this corresponds to a subset of the leaves in branch $i$). These sets all have size at most $t$. At the end of the protocol, we want to guarantee certain invariants. Say $V$ has minimum distance $> 2t$, and each codeword corresponds to a single value $a \in F$.

DEFINITION 1 (2-GOOD TREES). We say a tree of $n^2$ field elements is 2-GOOD with respect to the code $V$ and the sets $B, B_1, \ldots, B_n$ if:

1. For each $i \notin C$ (i.e., corresponding to an honest player), we have $B_i \subseteq C$, i.e. all apparent cheaters are real cheaters.

2. For each branch $i \notin B$, the shares held by the honest players not in $B_i$ should all be consistent with some codeword in $V$, i.e. the vector of all shares should be in $V_{B_i \cup C}$, where $C$ is the set of cheating players.

N.B.: Because there are at most $t$ players in $B_i$ and at most $t$ cheaters, there are at least $n - d + 1 \le n - 2t$ honest players remaining, and so the polynomial above is uniquely defined. This guarantees that for each branch $i \notin B$, there is a unique value $a_i \in F$ which is obtained by interpolating the shares of the honest players not in $B_i$.

3. For $i \notin B$, the values $a_i$ defined by the previous property are all consistent with a codeword of $V$ (i.e. the vector $(a_1, \ldots, a_n)$ is in $V_B$).

We will abbreviate this as 2-GOOD$_V$ when the sets $B, B_1, \ldots, B_n$ are clear from the context.
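As an added illustration (not code from the paper), the following Python sketch checks the classical $B$-neighborhood $V_B$ of Section 2 and the three 2-GOOD conditions of Definition 1 over the Reed-Solomon code $V^\delta$ of Section 1.3, i.e. what honest players can verify once a tree of shares has been measured in one basis; the field size, cheater set and the trees themselves are constructed for the example.

```python
"""Classical skeleton of the 2-GOOD check of Definition 1 (added example).

Works over the Reed-Solomon code V^delta (words (q(1),...,q(n)), deg q <= delta,
over Z_p with p prime, p > n).  Player indices run 1..n; B, the B_i and the
cheater set C are Python sets of indices.  Parameters below are constructed.
"""
import random


def lagrange_eval(points, x, p):
    """Evaluate the unique polynomial of degree < len(points) through the
    (x_j, y_j) pairs at x, working in Z_p (positions are distinct and < p)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, p - 2, p)) % p
    return total


def in_neighborhood(v, B, delta, p):
    """Membership test for the B-neighborhood V_B of Section 2: the word v
    (dict position -> value) must agree with some codeword of V^delta on every
    position outside B.  Returns (True, q(0)) or (False, None)."""
    good = sorted(i for i in v if i not in B)
    if len(good) < delta + 1:      # too few untouched positions to pin q down
        return False, None
    anchor = [(i, v[i]) for i in good[:delta + 1]]
    for i in good[delta + 1:]:
        if lagrange_eval(anchor, i, p) != v[i]:
            return False, None
    return True, lagrange_eval(anchor, 0, p)


def is_2good(tree, B, Bi, C, delta, p):
    """Check the three conditions of Definition 1; tree[i][j] is the leaf
    player j holds in branch i.  Returns (ok, root value) with None on failure."""
    n = len(tree)
    # 1. an honest branch owner accuses only real cheaters
    for i in range(1, n + 1):
        if i not in C and not Bi[i] <= C:
            return False, None
    # 2. each branch outside B is consistent outside B_i ∪ C; record a_i
    a = {}
    for i in range(1, n + 1):
        if i in B:
            continue
        ok, ai = in_neighborhood(tree[i], Bi[i] | C, delta, p)
        if not ok:
            return False, None
        a[i] = ai
    # 3. the branch values a_i (i outside B) form a word of V_B
    return in_neighborhood(a, B, delta, p)


def rand_poly(const, delta, p, rng):
    """Random polynomial of degree <= delta with constant term const."""
    return [const] + [rng.randrange(p) for _ in range(delta)]


def evaluate(coeffs, x, p):
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p


def branch(value, p, n, delta, rng):
    """Leaves an honest player creates when re-sharing the value he holds."""
    qi = rand_poly(value, delta, p, rng)
    return {j: evaluate(qi, j, p) for j in range(1, n + 1)}


def honest_tree(root, p, n, delta, rng):
    """Tree built from a root word root[i] = a_i, as in Section 3.1."""
    return {i: branch(root[i], p, n, delta, rng) for i in root}


def demo():
    """Constructed scenario: p=7, n=5 (t=1, delta=2t=2), cheater C={3} who
    scrambles every leaf he holds and his own branch.  Honest players flag
    branch 3 (B={3}) and the tree stays 2-GOOD with the secret recoverable.
    A dealer whose root word is not a codeword fails condition 3."""
    p, n, delta, secret = 7, 5, 2, 4
    rng = random.Random(2002)
    q = rand_poly(secret, delta, p, rng)
    root = {i: evaluate(q, i, p) for i in range(1, n + 1)}

    tree = honest_tree(root, p, n, delta, rng)
    for i in range(1, n + 1):
        tree[i][3] = (tree[i][3] + 1) % p                     # cheater's leaves
    tree[3] = {j: rng.randrange(p) for j in range(1, n + 1)}  # cheater's branch
    empty = {i: set() for i in range(1, n + 1)}
    ok, value = is_2good(tree, {3}, empty, {3}, delta, p)

    bad_root = dict(root)
    bad_root[2] = (root[2] + 1) % p                           # one root share off
    bad = honest_tree(bad_root, p, n, delta, rng)
    bad_ok, _ = is_2good(bad, set(), empty, set(), delta, p)
    return {"cheater_ok": ok, "cheater_value": value, "bad_dealer_ok": bad_ok}
```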

3.2 VQSS Protocol 

The VQSS protocol is described in Protocols 1 and 2. Intuitively, it guarantees that a tree of quantum shares would yield a 2-GOOD tree of classical values if measured in either the computational basis or the Fourier basis. We use the codes $V = V^\delta = V^{\delta'}$ and $W = W^\delta = W^{\delta'}$, with $n = 4t + 1$, $\delta = \delta' = 2t$, although there is in fact no need to do this: the protocol will work for any CSS code with distance at least $2t + 1$, so long as the codes $V, W$ are efficiently decodable.

The protocol can be tweaked for efficiency. The final protocol takes three rounds. Each player sends and receives $O(n + \log\frac{1}{\epsilon})$ qubits, and the broadcast channel is used $O(n(n + \log\frac{1}{\epsilon}))$ times overall, where $\epsilon$ is the soundness error of the protocol (this requires setting $k = n + \log(\frac{1}{\epsilon})$).

PROTOCOL 1 (VQSS — SHARING PHASE). Dealer $D$ gets as input a quantum system $S$ to share.

• Sharing:

1. The dealer $D$ prepares $(k + 1)^2$ systems of $n$ qupits each, called $S_{\ell,m}$ (for $\ell = 0, \ldots, k$ and $m = 0, \ldots, k$):

(a) Encodes $S$ using $C$ in $S_{0,0}$.

(b) Prepares $k$ systems $S_{0,1}, \ldots, S_{0,k}$ in the state $\sum_{a \in F} \mathcal{E}_C |a\rangle = \sum_{v \in V} |v\rangle$.

(c) Prepares $k(k + 1)$ systems $S_{\ell,m}$, for $\ell = 1, \ldots, k$ and $m = 0, \ldots, k$, each in the state $\mathcal{E}_C |0\rangle = \sum_{v \in V_0} |v\rangle$.

(d) For each of the $(k + 1)^2$ systems $S_{\ell,m}$, $D$ sends the $i$-th component (denoted $S_{\ell,m}^{(i)}$) to player $i$.

2. Each player $i$, for each $\ell, m = 0, \ldots, k$:

(a) Encodes the received system $S_{\ell,m}^{(i)}$ using $C$ into an $n$-qupit system $S_{\ell,m,i}$.

(b) Sends the $j$-th component $S_{\ell,m,i}^{(j)}$ to player $j$.

• Verification:

1. Get public random values $b_1, \ldots, b_k \in_R F$. For each $\ell = 0, \ldots, k$, $m = 1, \ldots, k$, each player $j$:

(a) Applies the SUM gate $(\text{c-}X^{b_m})$ to his shares of the systems $S_{\ell,0,i}$ and $S_{\ell,m,i}$.

(b) Measures his share of $S_{\ell,m,i}$ and broadcasts the result (i.e. each player broadcasts $k(k + 1)n$ values).

(c) For each $i \in \{1, \ldots, n\}$, players update the set $B_i$ based on the broadcast values: there are $(k + 1)kn$ broadcast words $w_{\ell,m,i}$. Applying classical decoding to each of these yields min-weight error vectors $e_{\ell,m,i}$ with supports $B_{\ell,m,i}$. Set $B_i = \bigcup_{\ell,m} B_{\ell,m,i}$. If there are too many errors, add $i$ to the global set $B$.

(d) Furthermore, players do the same at the root level: for all $i \notin B$, there is an interpolated value $a_i$ which corresponds to the decoded codeword from the previous step. Players also decode the codeword $(a_1, \ldots, a_n)$ and update $B$ accordingly (i.e. by adding any positions where errors occur to $B$).

2. All players apply the Fourier transform $\mathcal{F}$ to their shares.

3. Get public random values $b'_1, \ldots, b'_k \in_R F$. For $\ell = 1, \ldots, k$, each player $j$:

(a) Applies the SUM gate $(\text{c-}X^{b'_\ell})$ to his shares of the systems $S_{0,0,i}$ and $S_{\ell,0,i}$.

(b) Measures his share of $S_{\ell,0,i}$ and broadcasts the result (i.e. each player broadcasts $kn$ values).

(c) For each $i \in \{1, \ldots, n\}$, players update $B_i$ and $B$ based on the broadcast values (as in Step 1c). [Note: the sets $B$ and $B_1, \ldots, B_n$ are cumulative throughout the protocol.]

4. All players apply the inverse transform $\mathcal{F}^{-1}$ to their shares of $S_{0,0}$.

• The remaining shares (i.e. the components of the $n$ systems $S_{0,0,i}$) form the sharing of the state $\rho$.

PROTOCOL 2 (VQSS — RECONSTRUCTION PHASE). Player $j$ sends his share of each of the systems $S_{0,0,i}$ to the receiver $R$, who runs the following decoding algorithm:

1. For each branch $i$: Determine if there is a set $B'_i$ such that $B_i \subseteq B'_i$, $|B'_i| \le t$ and the shares of $S_{0,0,i}$ lie in $C_{B'_i}$. If not, add $i$ to $B$. Otherwise, correct errors on $B'_i$ and decode to obtain a system $S'_i$.

2. Apply interpolation to any set of $n - 2t$ points not in $B$. Output the result $S$.

Why is this a secure VQSS protocol? We want to show that the protocol is equivalent to the "ideal model", where at sharing time the dealer sends his secret system $S$ to a trusted outside party, and at reveal time the trusted party sends $S$ to the designated receiver. To do that, we will use two main technical claims.

Soundness. We must show that at the end of the protocol, if the dealer passes all tests then there is a well-defined "shared state" which will be recovered by the receiver. To do so, we guarantee a property similar to $C_C$, with $C$ here the set of cheaters (notion 3 of Section 2).

LEMMA 3.1. The system has high fidelity to the following statement: "Either the dealer is caught (i.e. $|B| > t$) or measuring all shares in the computational (resp. Fourier) basis would yield a 2-GOOD tree with respect to the code $V$ (resp. $W$)."

Proof of this is via a "quantum-to-classical" reduction, similar to that of [ref]. First, checks in the computational and Fourier bases don't interfere with each other, since they commute for CSS codes. Second, in a given basis, we can assume w.l.o.g. that all ancillae are first measured in that basis, reducing to a classical analysis similar to [ref].



Ideal Reconstruction. In order to prove soundness carefully, we define an ideal interpolation circuit $\mathcal{R}^I$ for 2-GOOD trees: pick the first $n - 2t$ honest players not in $B$, say $i_1, \ldots, i_{n-2t}$. For each $i_j$, pick $n - 2t$ honest players not in $B_{i_j}$ and apply the normal interpolation circuit (i.e. erasure-recovery circuit) for the code to their shares to get some qupit $R_{i_j}$. Applying the interpolation circuit again, we extract some system $S$ which we take to be the output of the ideal interpolation.

The real recovery operator $\mathcal{D}$ is given by Protocol 2. The following lemma then applies, following essentially from Proposition 2.2.



LEMMA 3.2. Given a tree of qupits which is 2-GOOD in both bases, the outputs of $\mathcal{R}^I$ and $\mathcal{D}$ are the same. In particular, this means that no changes made by cheaters to their shares can affect the outcome of $\mathcal{D}$.

Lemmas 3.1 and 3.2 show that there is essentially a unique state which will be recovered in the reconstruction phase when the receiver $R$ is honest.

Completeness. As discussed earlier, the protocol is considered complete if when the dealer is honest, the state that is recovered by an honest reconstructor is exactly the dealer's input state. The key property is that when the dealer $D$ is honest, the effect of the verification phase on the shares which never pass through cheaters' hands is the identity.

Consider the case where the dealer's input is a pure state $|\psi\rangle$. On one hand, we can see by inspection that an honest dealer will always pass the protocol. Moreover, since the shares that only go through honest players' hands remain unchanged, it must be that if some state is reconstructed, then that state is $|\psi\rangle$, since the ideal reconstruction operator uses only those shares. Finally, we know that since the dealer passed the protocol the overall tree must be 2-GOOD in both bases, and so some value will be reconstructed. Thus, on input $|\psi\rangle$, an honest reconstructor will reconstruct $|\psi\rangle$.
We have proved: 

LEMMA 3.3. If D and R are honest, and the dealer's input is a pure state, then R will reconstruct a state $\rho$ with fidelity $1 - 2^{-\Omega(n)}$ to the state $|\psi\rangle$.

Not surprisingly, this lemma also guarantees the privacy of the 
dealer's input. By a strong form of the no cloning theorem, any in- 
formation the cheaters could obtain would cause some disturbance, 
at least for a subset of the inputs. Thus, the protocol is in fact also 
private. 

Simulatability. The claims above show that the protocol satisfies 
an intuitive notion of security. In this section we sketch a proof 
that the protocol satisfies a more formal notion of security: it is 
equivalent to a simple ideal model protocol. The equivalence is 
statistical, that is the outputs of the real and ideal protocols may 
not be identical but will have very high fidelity to one another. 

THEOREM 3.4. Protocols [?] and [?] are a statistically secure VQSS scheme.



The ideal protocol is sketched in Section 1.2. To show equivalence, we will give a transformation that takes an adversary $\mathcal{A}_1$ for our protocol and turns it into an adversary $\mathcal{A}_2$ for the ideal protocol. To give the transformation, we exhibit a simulator $\mathcal{S}$ which acts as an intermediary between $\mathcal{A}_1$ and the ideal protocol, making $\mathcal{A}_1$ believe that it is experiencing the real protocol.

The idea is that the simulator will simulate the regular VQSS protocol either on input provided by a cheating dealer or on bogus data $|0\rangle$, and then extract and/or change the shared state as needed.

We give a sketch of the simulation procedure in Algorithm 1. Why does this simulation work?

1. When D is cheating:

(a) When R is cheating, the simulation is trivially faithful, since there is no difference between the simulation and the real protocol: $\mathcal{S}$ runs the normal sharing protocol, then runs the interpolation circuit, sending the result to $\mathcal{TTP}$. In the reconstruction phase, $\mathcal{S}$ gets the same state back from $\mathcal{TTP}$, and runs the interpolation circuit in reverse. Thus, the two executions of the interpolation circuit cancel out.

(b) When R is honest, the faithfulness of the simulation comes from Lemma 3.2: in the real protocol, R outputs the result of the regular decoding operator. In the simulation, R gets the output of the ideal interpolation. Since the shared state has high fidelity to a 2-GOOD tree (by Lemma 3.1), the outputs will be essentially identical in both settings (i.e. they will have high fidelity).

2. When D is honest:

(a) When R is also honest, the faithfulness of the simulation follows from the completeness and privacy properties of the real protocol. Privacy implies that the adversary $\mathcal{A}_1$ cannot tell that it is actually participating in a sharing of $|0\rangle$ rather than the dealer's state, and completeness means that R in the real protocol gets a state with high fidelity to that received by R in the ideal protocol.

(b) When R is a cheater, $\mathcal{S}$ does not get $S$ from $\mathcal{TTP}$ until the reconstruction phase. Then he applies the ideal interpolation circuit to extract the $|0\rangle$ state used during the verification phase, swaps $S$ with $|0\rangle$, then runs the ideal interpolation circuit backwards. Since the ideal interpolation circuit only acts on shares of the honest players, $\mathcal{S}$ is capable of performing these operations without tipping off $\mathcal{A}_1$ to the fact that it is in a simulation. By the completeness property of the real protocol and the no-cloning theorem, the residual state left over after the ideal interpolation circuit (i.e., the state of the cheaters) has almost no correlation to the data shared using the circuit, so swapping in $S$ and running the circuit backwards gives us a state with high fidelity to the state that would have resulted from sharing $S$ directly with the same $\mathcal{A}_1$. Thus, the simulation is faithful in this case as well.

We have essentially proved Theorem 3.4.



3.3 Additional Properties 

Two-level sharings produced by the same dealer (using the protocol above) have some additional properties, which will be useful for multi-party computation. First of all, notice that there is no problem in tracking the sets $B, B_1, \ldots, B_n$ incrementally across various invocations of the protocol for the same dealer, and so we assume below that these sets are the same for different sharings from the same dealer.

1. Some operations can be applied transversally to valid sharings. Applying the linear operation $(x, y) \mapsto (x, y + bx)$ (denoted $c$-$X^b$) to all shares of two sharings effectively applies $c$-$X^b$ to the shared states. Similarly, applying the Fourier rotation transversally changes the sharing to the dual code and applies a logical Fourier rotation. Finally, measuring all shares of a valid sharing in the computational basis and applying classical decoding yields the same result as measuring the shared state. Thus, players can measure without exchanging quantum information.

2. The dealer can additionally use the protocol to prove to all players that the system he is sharing is exactly the state $|0\rangle$: the ancillas he uses in this case will all be sharings of $|0\rangle$ (instead of $\sum_a |a\rangle$). The verification step is the same as before, except now players verify that the reconstructed codeword at the top level interpolates to 0. Similarly, the dealer can prove that he is sharing a state $\sum_a |a\rangle$. This will be useful for sharing ancillas in the MPQC protocol.
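The following is an added example, not code from the paper: it shows the computational-basis (purely classical) content of item 1 above and of the broadcast-and-decode measurement step of Protocol 4 for a one-level polynomial-code sharing. Shares are evaluations of a degree-$\leq\delta$ polynomial over GF($p$); the transversal map $(x, y) \mapsto (x, y + bx)$ applied share-wise yields a valid sharing of $y + bx$, and classical decoding recovers the value even when $t$ cheaters corrupt the shares they broadcast. The parameters ($t = 1$, $n = 6t+1 = 7$, $\delta = 2t$, $p = 11$, evaluation points $\alpha_i = i$, shared value taken as $f(0)$) and the brute-force Reed-Solomon decoder are constructed assumptions for illustration.

```python
# Added example (not from the paper): the computational-basis view of the
# polynomial-code sharing. Constructed parameters: t = 1 cheater, n = 6t+1 = 7
# players, delta = 2t = 2, qupit dimension p = 11 (prime, > n), evaluation
# point alpha_i = i for player i, and the shared value taken as f(0).
import itertools
import random

P, T = 11, 1
N, DELTA = 6 * T + 1, 2 * T
ALPHAS = list(range(1, N + 1))


def share(secret, rng=random):
    """Shares of `secret`: evaluations at ALPHAS of a random polynomial f of
    degree <= DELTA with f(0) = secret (a scaled Reed-Solomon codeword)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(DELTA)]
    return [sum(c * pow(a, k, P) for k, c in enumerate(coeffs)) % P
            for a in ALPHAS]


def lagrange(points, x):
    """Value at x of the unique polynomial of degree < len(points) through
    the given (alpha, value) pairs, computed over GF(P)."""
    total = 0
    for i, (ai, yi) in enumerate(points):
        num = den = 1
        for j, (aj, _) in enumerate(points):
            if i != j:
                num = num * (x - aj) % P
                den = den * (ai - aj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def decode(word):
    """Classical decoding of a broadcast word w: the degree-<=DELTA polynomial
    agreeing with at least n - t positions is unique (n - 2t > DELTA), so a
    brute-force search over (DELTA+1)-subsets finds it; returns its value at
    0, or None when more than t shares were corrupted."""
    for subset in itertools.combinations(zip(ALPHAS, word), DELTA + 1):
        agree = sum(lagrange(subset, a) == w for a, w in zip(ALPHAS, word))
        if agree >= N - T:
            return lagrange(subset, 0)
    return None


def transversal_cx(x_shares, y_shares, b):
    """Apply (x, y) -> (x, y + b*x) share-wise: no communication is needed,
    and the result is a valid sharing of y + b*x (item 1 of Section 3.3)."""
    return [(y + b * x) % P for x, y in zip(x_shares, y_shares)]


def demo(x=3, y=5, b=4, cheaters=(2,), seed=7):
    """Share x and y, apply the transversal gate, let each cheater corrupt the
    share he broadcasts, and decode as in the measurement step of Protocol 4."""
    rng = random.Random(seed)
    ys = transversal_cx(share(x, rng), share(y, rng), b)
    for i in cheaters:
        ys[i] = (ys[i] + 1) % P
    return decode(ys)  # 6 == (5 + 4*3) mod 11 for the defaults
```

With two corrupted shares (more than $t$) no polynomial reaches the agreement threshold, so `decode` reports failure rather than returning a wrong value.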

4. LOWER BOUND FOR VQSS 

LEMMA 4.1. No 4-player VQSS scheme tolerates one cheater.

Proof: Suppose such a scheme exists. Consider a run of the protocol in which all players behave perfectly honestly until the end of the sharing phase, at which point one (unknown) player introduces an arbitrary error. However, an honest "receiver" Ruth, given access to the state of all players, must still be able to recover the shared state. Thus, the joint state of all players constitutes a four-component QECC correcting one error. However, no such code exists, not even a mixed-state one, by the quantum Singleton bound [?]. □

Algorithm 1. Simulation for VQSS (Protocol [?])

• Sharing/Verification phase

- If D is a cheater, $\mathcal{S}$ must extract some system to send to $\mathcal{TTP}$:

1. Run the Sharing and Verification phases of Protocol [?], simulating the honest players. If D is caught cheating, send "I am cheating" from D to $\mathcal{TTP}$.

2. Choose $n - 2t$ honest players not in $B$ and apply the ideal interpolation circuit to extract a system $S$.

3. Send $S$ to $\mathcal{TTP}$.

- If D is honest, $\mathcal{S}$ does not need to send anything to $\mathcal{TTP}$, but must still simulate the sharing protocol:

1. Simulate an execution of the Sharing and Verification phases of Protocol [?] using $|0\rangle$ as the input for the simulated dealer $D'$.

2. Choose $n - 2t$ honest players (they will automatically not be in $B$ since they are honest) and apply the ideal interpolation circuit to extract the state $|0\rangle$.

3. The honest D will send a system $S$ to $\mathcal{TTP}$.

Note: Regardless of whether D is honest or not, at the end of the sharing phase of the simulation, the joint state of the players' shares is a tree that is (essentially) 2-GOOD in both bases, and to which the ideal interpolation operator has been applied. Let $I$ be the set of $n - 2t$ honest players (not in $B$ or $C$) who were used for interpolation.

• Reconstruction phase

- If R is a cheater, $\mathcal{S}$ receives the system $S$ from $\mathcal{TTP}$. $\mathcal{S}$ runs the interpolation circuit backwards on the positions in $I$, with $S$ in the position of the secret. $\mathcal{S}$ sends the resulting shares to R.

- If R is honest, the cheaters send their corrupted shares to $\mathcal{S}$. These are discarded by $\mathcal{S}$.

In both cases, $\mathcal{S}$ outputs the final state of $\mathcal{A}_1$ as the adversary's final state.

The optimality of our VQSS scheme is an immediate corollary, since any protocol tolerating $n/4$ cheaters could be used to construct a four-person protocol tolerating one cheater by having each participant simulate $n/4$ players in the original protocol:

THEOREM 4.2. No VQSS scheme for $n$ players exists which tolerates all coalitions of $\lceil n/4 \rceil$ cheaters.

Note that we have only proved the impossibility of perfect VQSS 
protocols. However, the quantum Singleton bound still holds when 
exact equality is replaced by approximate correctness, and so in 
fact even statistical VQSS schemes are impossible when t > n/4. 

5. MULTI-PARTY COMPUTATION 

In this section we show how to use the VQSS protocol of the pre- 
vious section to construct a multi-party quantum computing scheme. 
First, we give a modified VQSS protocol. At the end of the protocol, 
all players hold a single qupit. With high fidelity, either the dealer 
will be caught cheating or the shares of all honest players will be 
consistent in both the computational and Fourier bases, i.e. there 
is no set B of "apparent cheaters". We then apply fault-tolerant 
techniques to achieve secure distributed computation. 

5.1 Top-Level Sharing Protocol 

We will now restrict attention to protocols tolerating $t < n/6$ cheaters, instead of $t < n/4$ cheaters as before. Thus, we take $n = 6t + 1$ for simplicity, and as before we set $\delta = 2t$ (thus $\delta' = 4t$). We will work with the CSS code $\mathcal{C}$ given by $V = V_\delta$ and $W = W_\delta$. Recall that this is the CSS code for which there exist nearly-transversal fault-tolerant procedures (Section 1.2). Our goal is to share a state so that at the end all shares of honest players lie in $\mathcal{C}_C = V^{(q)} \cap \mathcal{F}^{\otimes n} W^{(q)}$.

The new scheme is given in Protocol 3. The idea is that the previous VQSS scheme allows distributed computation of linear gates and Fourier transforms on states shared by the same dealer. It also allows verifying that a given shared state is either $|0\rangle$ or $\sum_a |a\rangle$. The players will use this to perform a distributed computation of the encoding gate for the code $\mathcal{C}$. Thus, the dealer will share the secret system $S$, as well as $\delta$ states $\sum_a |a\rangle$ and $n - \delta - 1$ states $|0\rangle$. Players then apply the (linear) encoding gate, and each player gets sent all shares of his component of the output. As before, the main lemmas are soundness and completeness of the protocol:

LEMMA 5.1 (SOUNDNESS). At the end of the sharing phase, the system has high fidelity to "either the dealer is caught or the players' shares $S_1 \ldots S_n$ lie in $\mathcal{C}_C$".

LEMMA 5.2 (COMPLETENESS). When D is honest, on pure state input $|\psi\rangle$, the shared state will have high fidelity to $\mathrm{span}\{\mathcal{E}_C |\psi\rangle\}$ (i.e. will differ from $\mathcal{E}_C |\psi\rangle$ only on the cheaters' shares).

Note the dealer can also prove that he has shared a $|0\rangle$ state (by showing that his input is $|0\rangle$).

5.2 Distributed Computation 

Given the protocol of the previous section, and known fault-tolerant techniques, there is a natural protocol for secure multi-party computation of a circuit: have all players distribute their inputs via the top-level sharing (Protocol 3); apply the gates of $U$ one-by-one, using the (essentially) transversal implementation of the gates described in Section 1.3; then have all players send their share of each output to the appropriate receiver. See Protocol 4.

Protocol 3 (Top-Level Sharing). Dealer D takes as input a qupit $S$ to share.

• Sharing

1. (Distribution) The dealer D:

(a) Runs the level 2 VQSS protocol on input $S$.

(b) For $i = 1, \ldots, \delta$: Runs the level 2 sharing protocol to share the state $\sum_a |a\rangle$ (see Remark [?] in Section 3.3).

(c) For $i = 1, \ldots, n - \delta - 1$: Runs the level 2 sharing protocol to share the state $|0\rangle$ (see Remark [?] in Section 3.3).

Denote the $n$ shared systems by $S_1, \ldots, S_n$ (i.e. $S_1$ corresponds to $S$; $S_2, \ldots, S_{\delta+1}$ correspond to $\sum_a |a\rangle$ and $S_{\delta+2}, \ldots, S_n$ correspond to $|0\rangle$). Note that each $S_i$ is a two-level tree, and thus corresponds to $n$ components in the hands of each player.

2. (Computation) Collectively, the players apply the Vandermonde matrix to their shares of $S_1, \ldots, S_n$. (If D is honest then system $S_i$ encodes the $i$-th component of an encoding of the input $S$.)

3. For each $i$, all players send their shares of $S_i$ to player $i$, who decodes them (as per Protocol [?]).

• Quantum Reconstruction. Input to each player $i$ is the share $S_i$ and the identity of the receiver R.

1. Each player $i$ sends his share $S_i$ to R.

2. R outputs $\mathcal{D}(S_1, \ldots, S_n)$ and discards any ancillas ($\mathcal{D}$ is the decoding algorithm for $\mathcal{C}$).

Protocol 4 (Multi-party Quantum Computation).

1. Input Phase:

(a) For each $i$, player $i$ runs Top-Level Sharing with input $S_i$.

(b) If $i$ is caught cheating, then some player who has not been caught cheating yet runs Top-Level Sharing (Protocol 3), except this time with the one-dimensional code $\mathrm{span}\{\mathcal{E}_C |0\rangle\}$ (i.e. he proves that the state he is sharing is $|0\rangle$). If the sharing protocol fails, then another player who has not been caught cheating runs the protocol. There will be at most $t$ iterations since an honest player will always succeed.

(c) For each ancilla state $|0\rangle$ needed for the circuit, some player who has not been caught cheating yet runs Top-Level Sharing (Protocol 3), with the one-dimensional code $\mathrm{span}\{\mathcal{E}_{C_\delta} |0\rangle\}$ or $\mathrm{span}\{\mathcal{E}_{C_{\delta'}} |0\rangle\}$, as needed. If the protocol fails, another player performs the sharing, and so forth.

2. Computation Phase: For each gate $g$ in the circuit, players apply the appropriate fault-tolerant circuit, as described in Section 1.3. Only the measurement used in Degree Reduction is not transversal. To measure the ancilla:

(a) Each player measures his component in the computational basis and broadcasts the result.

(b) Let $w$ be the received word. Players decode $w$ (based on the scaled Reed-Solomon code $W_\delta$), and obtain the measurement result $b$.

3. Output Phase: For the $i$-th output wire:

(a) All players send their share of the output wire to player $i$.

(b) Player $i$ applies the decoding operator for $\mathcal{C}$ and outputs the result. If decoding fails (this will occur only with exponentially small probability), player $i$ outputs $|0\rangle$.

The only sticking point in the analysis is that the fault-tolerant procedures require some interaction when measuring a shared state. All players measure their share and broadcast the result, applying classical decoding to the resulting word. If the errors occurring in the measured ancilla were somehow correlated or entangled with errors in the real data, one could imagine that measuring and broadcasting them might introduce further entanglement. However, this will not be a problem: on one hand, any errors will occur only in the cheaters' shares, and so provide nothing beyond what the cheaters could learn themselves; on the other hand, the honest players will discard all the information from the broadcast except the decoded measurement result (each honest player performs the decoding locally based on the broadcast values, so all honest players obtain the same result). Again, the cheaters can do this themselves.

LEMMA 5.3. Suppose that all inputs and ancillas are shared at the beginning via states in $\mathcal{C}_C$. Then the result of applying the protocol for a given circuit $U$, and then sending all states to an honest decoder R, is the same as sending all states to R and having R apply $U$ to the reconstructed states.

THEOREM 5.4. For any circuit $U$, Protocol 4 is a statistically secure implementation of multi-party quantum computation as long as $t < n/6$.

Proof: The proof of this is by simulation, as before. The key observation is that when the simulator $\mathcal{S}$ is controlling the honest players, the adversary cannot tell the difference between the regular protocol and the following ideal-model simulation:

1. $\mathcal{S}$ runs the input phase as in the protocol, using $|0\rangle$ as the inputs for honest players. In this phase, if any dealer is caught cheating, $\mathcal{S}$ sends "I am cheating" to the $\mathcal{TTP}$ on behalf of that player.

2. $\mathcal{S}$ "swaps" the cheaters' inputs with bogus data $|0\rangle$, and sends the data to the $\mathcal{TTP}$. That is, he applies the interpolation circuit to honest players' shares to get the various input systems $S_i$ (for $i \in C$), and then runs the interpolation circuit backwards, with the state $|0\rangle$ replacing the original data.

3. $\mathcal{S}$ now runs the computation protocol with the adversary on the bogus data. (Because no information is revealed on the data, the adversary cannot tell this from the real protocol.)

4. $\mathcal{S}$ receives the true computation results destined to cheating players from the $\mathcal{TTP}$.

5. $\mathcal{S}$ "swaps" these back into the appropriate sharings, and sends all shares of the $i$-th wire to player $i$ (again, he does this only for $i \in C$).

The proof that this simulation succeeds follows from the security of the top-level sharing protocol and the previous discussion on fault-tolerant procedures. □
6. OPEN QUESTIONS

Given our results, the most obvious open question is if MPQC is possible when $n/6 \leq t < n/4$. Another natural direction of research is to find a VQSS protocol with zero error. For example, the techniques of [?] for the classical case do not seem to apply to the quantum setting. Finally, one can ask what tasks are achievable when we allow cheating players to force the abortion of the protocol (usually called an "optimistic protocol").